I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

For some reason, they have deigned to take this opportunity to print_r their database access credentials in their 503 downtime notice. Their MySQL hostname, username and password are exposed by this, along with a few tidbits of information about the directory structure of the web server and the names of their database tables.

Presumably somebody has left a debug print_r in there to output details of any failed queries. Normally it's fine, but now that the database is browned out, everything gets printed to everyone right at the moment they're getting the most traffic. Here is my favourite query:

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

As I continue to stare in disbelief at this stack trace, I'm starting to build up a mental picture of the amount of WTF that resides in this codebase. For example, the misspelled "persistant" attribute of the MySQLDatabase class. And the mysterious "load_definesymbols" function.

And by the way, what is it with highly-experienced professional PHP software engineers and inventing their own file suffixes? I swear I see this in literally every bespoke PHP codebase I encounter. In this case they've gone with ".lib", presumably to differentiate their high quality reusable code from your typical 1000 line procedural page generator PHP script. But I've come across things like .inc, .class, .tpl, or even .class.php in various different places.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

It's been over a decade since my PHP days, but changing the file extension and .htaccess was a cheap-and-dirty way to stop Apache from serving up PHP files that should never be hit directly. It also helped to differentiate the purpose of the files. Note: I'm not defending this practice.
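For the ".lib"/".inc" practice discussed above, here is what the misconfiguration looks like and the two usual fixes, written as an added example for this thread (not configuration from the page or from the University of Sydney site; the paths, suffixes and hostnames are illustrative, and `php_value` assumes mod_php rather than php-fpm):

```apacheconf
# Added example, not configuration from the page or the site it discusses.
# Paths, suffixes and hostnames are placeholders.

# The problem: a library file named config.lib (or .inc, .tpl, .class) has no
# PHP handler bound to its suffix, so a direct request for /lib/config.lib is
# served by Apache as text/plain, source, credentials and all. Renaming it to
# .lib.php makes PHP execute it instead, which stops the source leak but still
# lets include-only code run out of context.

# Fix 1 (preferred): keep include-only code outside DocumentRoot and point
# PHP's include_path at it, so no URL maps to those files at all.
#   DocumentRoot /srv/www/htdocs
#   php_value include_path ".:/srv/www/lib"      # mod_php; for php-fpm set it in php.ini

# Fix 2: if the files must live under DocumentRoot, refuse every direct
# request for the include-only suffixes. This is the .htaccess trick from the
# thread; in httpd.conf it belongs inside the site's <Directory> block.
<FilesMatch "\.(inc|lib|tpl|class)(\.php)?$">
    # Apache 2.4 syntax. On 2.2 use:  Order allow,deny  and  Deny from all
    Require all denied
</FilesMatch>

# Check after reloading: a direct request must return 403, not the file body.
#   curl -sI https://www.example/lib/config.lib | head -1
```

The `(\.php)?` suffix catches the `.class.php` and `.inc.php` variants too; without it a file that PHP would execute is left reachable, which is a different failure (running out of context) rather than a source leak.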

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

"Presumably somebody has left a debug print_r in there to output details of any failed queries."
Seems perfectly reasonable. After all, it will be fully tested before going live, so there's no chance that this code will ever get executed in production.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

If it does (I honestly have no idea) it's almost certainly off by default and poorly documented.

With PHP, the question is not Does feature X exist in PHP? but rather Does any PHP developer know that feature X exists in PHP? PHP's documentation is so awful, and there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Did you perhaps mean the `backtick syntax` that runs a string using the shell after doing normal variable replacements?
That's a language feature and is not gonna get deprecated or removed, since it does exactly what it was designed and the design has no flaws.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...
Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...

Uh... yes there is (for warnings at least). print_r is the developer wanting to output data. Maybe he shouldn't have wanted to output it in this case... but it was the developer's intention.

As for hiding/showing errors... the common use is to NEVER show errors/warnings/notices on production, potentially to show them on development... and in the case of production to Log them to a file instead. Plus, if you really wanted to get creative, you could actually check for the current status of error reporting. If you are sending stuff to a log, you could trigger_error the print_r and send it to your error log as well.

Or, if you were particularly apt, not rely on built-in logging functions (for print_r on DB fail) and build your own logging utility.

Just because PHP is easy to make fun of, doesn't mean that you're correct in your statements.
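The two posts above describe the same pattern from both sides: a leftover debug dump on query failure (the opening post), and the production posture of logging instead of displaying, including passing a print_r dump to trigger_error (the reply just above). The following is an added example for this thread, not code from the page or from the University of Sydney site; the MySQLDatabase class, its method names, the log path and the connection details are all hypothetical, and it assumes PHP 8 with mysqli:

```php
<?php
declare(strict_types=1);

// Added example, not code from the page or the site it discusses.
// The class, log path and connection details are hypothetical placeholders.

// Production posture, equivalent to php.ini:
//   display_errors=Off  log_errors=On  error_log=/var/log/php/app.log
// Anything raised via trigger_error() now reaches the log, never the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

final class MySQLDatabase
{
    private ?mysqli $conn = null;

    public function __construct(
        private string $host,
        private string $user,
        private string $password,
        private string $database,
    ) {}

    // Defence in depth: print_r() and var_dump() consult __debugInfo() (PHP 5.6+)
    // instead of the real properties, so even a forgotten debug dump of this
    // object shows no credentials. var_export() and serialize() do NOT use it,
    // so this is a safety net on top of the logging fix, not a replacement.
    public function __debugInfo(): array
    {
        return [
            'host'      => $this->host,
            'database'  => $this->database,
            'user'      => '[redacted]',
            'password'  => '[redacted]',
            'connected' => $this->conn !== null,
        ];
    }

    private function connect(): mysqli
    {
        if ($this->conn === null) {
            // Throw mysqli_sql_exception on any failure (the default since PHP 8.1).
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            $this->conn = new mysqli($this->host, $this->user, $this->password, $this->database);
        }
        return $this->conn;
    }

    // The pattern from the downtime notice: a debug dump left in the failure
    // path. Without the __debugInfo() above, print_r($this) writes host, user
    // and password into the HTTP response of every visitor whose query fails,
    // i.e. everyone, the moment the database browns out.
    public function queryLeaky(string $sql): mysqli_result|bool
    {
        try {
            return $this->connect()->query($sql);
        } catch (mysqli_sql_exception $e) {
            print_r($this);
            print_r(['sql' => $sql, 'error' => $e->getMessage()]);
            return false;
        }
    }

    // Hardened: the same detail goes to the error log via trigger_error(), and
    // the caller gets a generic failure to render as a 503 page.
    public function query(string $sql): mysqli_result|bool
    {
        try {
            return $this->connect()->query($sql);
        } catch (mysqli_sql_exception $e) {
            // print_r(..., true) returns the dump as a string instead of printing it.
            $detail = print_r(['sql' => $sql, 'error' => $e->getMessage()], true);
            trigger_error('query failed: ' . $detail, E_USER_WARNING);
            throw new RuntimeException('Database temporarily unavailable');
        }
    }
}

// Usage with placeholder credentials. Even this accidental dump is harmless:
$db = new MySQLDatabase('db.internal.example', 'app', 'placeholder-secret', 'erp');
print_r($db);   // user and password appear as [redacted]
```

Two caveats worth keeping in mind: the logged SQL can itself contain user data, so the log file needs the same access controls as the credentials it protects, and `display_errors` has to be off for the SAPI actually serving traffic (php-fpm pools and mod_php read different php.ini files), which is the setting to verify with a deliberately failing query before trusting the rest.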

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

ObDerail: many years back we had a circular from Sage (financials) bleating all about their new products. At the bottom was a link we were invited to click on, which read something like: http://192.168.0.1/websites/default/pages/index.htm (no, that's not linkified). When I informed them of the link, their response was along the lines of "we tested it here and it works fine. If you're still experiencing problems, have your Network Administrator raise a ticket with your Internet Solutions Provider".

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

The two aren't contradictory. It just saves having to host DNS on your private LAN to resolve addresses on your private LAN. Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

Yeah, still enabled. In fact, I had to use it in a production system the other day... BRB I need a drink.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.

Ooohhh... yeah, that makes sense. Didn't think of that situation.

"What's the IP address of our internal staging webserver?"

"dunno. Ask the internet. They'll know..."

I'm using the trick of hosting an unresolvable TLD (.LAN) internally so that any FQDNs unrecognised by my DNS get chucked externally. Unfortunately that means using the public A-REC for my server causes my laptop to hop out through the gateway only to stroll back in again. Makes my firewall frown at times.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root. I was more curious about if MySQL had something similar-- since they've exposed their db credentials. And people can log into the DB. And then run whatever_linux_cmdshell through a query.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

My uni circa 2001 ran student webpages on an Apache running as root (AFAWCT) and had all staff and student usernames and passwords in an unencrypted file (somewhere under /etc from memory). And had a CGI script with a directory traversal bug. Oops!

Filed Under: Can you think of something that talks, other than a person?

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

If you're running Apache on Windows (which is goofy, but eh), then it's all in how you configure the service. IIS has its own account, of course, and gives anonymous Internet visitors to your site their own account (IUSR) for permissions purposes. And runs applications as "Network Service" by default. It's a little bit of a pain to configure it all, but it's a lot more secure by default.

The idiots I've been having to work with for the last few months have Nginx running as root on their Ubuntu servers. I'll have to talk to them about that.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

Under Linux, Apache starts as root but then switches user to "apache" or "httpd" to run lower-priv'd. It's possible to run as non-root but it involves some sudo trickery to allow a non-root account to switch to another user without authentication credentials, so most people start/stop the service as root knowing it runs in an unpriv'd context.

Modules like suPHP allow PHP code to run in the context of another user (separate from Apache) so any trojaned site affects just that account and not other accounts.

Under Windows, Apache is installed as a service but can be given separate logon credentials, in much the same way that IIS no longer runs as Administrator.

Lorne Kates:

I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

Of course, it doesn't stop someone from doing precisely that. I've encountered many websites containing root-owned files with change permissions set completely open (777) because permissions weren't set properly on the webroot area - so someone rootwalked into it, then set the permissions to 777 because Apache couldn't read root-owned content.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

It depends purely on setup. Apache wants to start as root wherever possible (for some reason Linux complains when normal-permission applications try to grab a port), but you can tell it to run as its own user. PHP will want to run as the Apache user, unless you use suPHP to have each Apache/PHP process run as the website's user (which is good for security, but a pain in other ways).

You could always chroot Apache or Lighttpd as well to be super super secure.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

The problem with PHP has always been that 95% of what you find online is n00b garbage that teaches either only the basics or teaches the wrong things. PHP isn't a bad language (although ugly as sin) when it's used by a software developer who understands things like design patterns, OOP, MVC and unit tests. The problem is most of your PHP "developers" either found one of the aforementioned bad tutorials or picked up an equally bad book, learned the basics, and started marketing themselves as a professional developer.

There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform: [Rails] makes it easy to write good code and hard to write bad code. PHP makes it easy to write bad code and hard to write good code.

The Daily WTF Forums. You will never find a more wretched hive of scum and villainy.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform: [Rails] makes it easy to write good code and hard to write bad code. PHP makes it easy to write bad code and hard to write good code.

I highly doubt that. I've seen languages that make writing good code easier--that's one of the main reasons I prefer Delphi--but I've never seen any language or framework that makes it any harder for a bad programmer to write bad code. I honestly doubt such a thing exists. Stupidity will always find a way.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

Oh it's still there, but I don't know many sane reasons why it would be used.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.

The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

It's not just PHP, any language can suffer from it. Consider JavaScript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight JavaScript, and it still works perfectly well cross-browser.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

It's not just PHP, any language can suffer from it. Consider JavaScript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight JavaScript, and it still works perfectly well cross-browser.

I blame StackOverflow for that. Problem? jQuery is the answer! No matter what the problem is! Desktop app? Well embed a Webkit so you can run jQuery! Database? Well write a quick function that can call out to jQuery! If you can't do it in jQuery it can't be done!

At least they tried to make a better programming Q&A site. "Game-ify-ing" it just made it awful again though.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

What people like that don't get is the bloat jQuery adds. A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size. And if you're not careful, you can wrap jQuery objects in jQuery objects in jQuery objects and make bloat-zilla.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size.

[citation needed]

I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32 bits each, we only account for 768 bits (92 bytes).

A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.

Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32 bits each, we only account for 768 bits (92 bytes).

A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.

jQuery creates new objects for each event that was triggered with it. It's not just a wrapper for addEventListener. That's not the only thing it does though. It creates a copy of the DOM as an object to allow it to search and manipulate the DOM more easily. Every match you make on the DOM using a jQuery selector is another object. This is what leads to the bloat.